raccoon | 0379ee5acb117a629b1b0483986578dea456c2cc58b053a2a4a1f6666853908b

Analysis

max time kernel
142s
max time network
50s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppSetup/Setup.exe
Size

733.1MB
MD5

d5bb80569e355d6e65de761d46b39da0
SHA1

8731c0883164cc951e3e80be5c64ef09400324a7
SHA256

213ec8ae881fbf7821c8e6574f37452bc6bb92f93ac634aa43adb5300138e614
SHA512

1b3593c746b79a056c15b7fe8c91c2f38685bb32eb924e34d94ba64c42cf41014ba52f2ef2bc8140837fb05f2fa04ffce92ca694c72faf9461cab88fbf805d9d
SSDEEP

393216:fCnzmUSYCLfqwNh5kbGUf/t1ow5QnBE6Ye:fJUSrLS8hObGUdf50a7e

Score

10^/10

raccoon 717609e6131226f92ce8ce08c34305be discovery persistence spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

717609e6131226f92ce8ce08c34305be

http://45.9.74.170

http://77.73.134.43

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

2EU1KOS1.exen9P7lw07.exeDesktopDocuments-tupe1.8.5.3.exe

pid process

1912 2EU1KOS1.exe
1516 n9P7lw07.exe
1564 DesktopDocuments-tupe1.8.5.3.exe
Loads dropped DLL 9 IoCs

Processes:

Setup.exe2EU1KOS1.exe

pid process

1172 Setup.exe
1172 Setup.exe
1172 Setup.exe
1172 Setup.exe
1172 Setup.exe
1172 Setup.exe
1172 Setup.exe
1912 2EU1KOS1.exe
1912 2EU1KOS1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1912	2EU1KOS1.exe
1516	n9P7lw07.exe
1564	DesktopDocuments-tupe1.8.5.3.exe

pid	process
1172	Setup.exe
1172	Setup.exe
1172	Setup.exe
1172	Setup.exe
1172	Setup.exe
1172	Setup.exe
1172	Setup.exe
1912	2EU1KOS1.exe
1912	2EU1KOS1.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\2EU1KOS1.exe	upx
\Users\Admin\AppData\Roaming\2EU1KOS1.exe	upx
C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe	upx
C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe	upx
behavioral1/memory/1912-103-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral1/memory/1912-105-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe	upx
behavioral1/memory/1912-120-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe	upx
\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe	upx
C:\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe	upx
behavioral1/memory/1912-130-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral1/memory/1564-132-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral1/memory/1564-133-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral1/memory/1564-134-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2EU1KOS1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	2EU1KOS1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopDocuments-tupe1.8.5.3 = "C:\\ProgramData\\DesktopDocuments-tupe1.8.5.3\\DesktopDocuments-tupe1.8.5.3.exe"	2EU1KOS1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe

pid process

1172 Setup.exe
1172 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Setup.exe

pid process

1172 Setup.exe

pid	process
1172	Setup.exe
1172	Setup.exe

pid	process
1172	Setup.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Setup.exen9P7lw07.execmd.exe2EU1KOS1.exe

description	pid	process	target process
PID 1172 wrote to memory of 1912	1172	Setup.exe	2EU1KOS1.exe
PID 1172 wrote to memory of 1912	1172	Setup.exe	2EU1KOS1.exe
PID 1172 wrote to memory of 1912	1172	Setup.exe	2EU1KOS1.exe
PID 1172 wrote to memory of 1912	1172	Setup.exe	2EU1KOS1.exe
PID 1172 wrote to memory of 1516	1172	Setup.exe	n9P7lw07.exe
PID 1172 wrote to memory of 1516	1172	Setup.exe	n9P7lw07.exe
PID 1172 wrote to memory of 1516	1172	Setup.exe	n9P7lw07.exe
PID 1172 wrote to memory of 1516	1172	Setup.exe	n9P7lw07.exe
PID 1516 wrote to memory of 812	1516	n9P7lw07.exe	cmd.exe
PID 1516 wrote to memory of 812	1516	n9P7lw07.exe	cmd.exe
PID 1516 wrote to memory of 812	1516	n9P7lw07.exe	cmd.exe
PID 812 wrote to memory of 1388	812	cmd.exe	choice.exe
PID 812 wrote to memory of 1388	812	cmd.exe	choice.exe
PID 812 wrote to memory of 1388	812	cmd.exe	choice.exe
PID 1912 wrote to memory of 1564	1912	2EU1KOS1.exe	DesktopDocuments-tupe1.8.5.3.exe
PID 1912 wrote to memory of 1564	1912	2EU1KOS1.exe	DesktopDocuments-tupe1.8.5.3.exe
PID 1912 wrote to memory of 1564	1912	2EU1KOS1.exe	DesktopDocuments-tupe1.8.5.3.exe

C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe
"C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1912

C:\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe
"C:\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe"
3⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\n9P7lw07.exe
"C:\Users\Admin\AppData\Local\Temp\n9P7lw07.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\n9P7lw07.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe
Filesize
418.9MB

MD5
551a0e800ef11f308aba18a88293beee

SHA1
400d8cf78d334279360175bf658967b37031f40b

SHA256
104201564f298782134564e4abf4d754bc0f1da0f6e5469bc3769a1f4b6cc471

SHA512
595431c45d8f1b848d8cead1956b9e925c147bda4f14ceb738ca1840dc84dac707810c99084b72f9584ebc1fbfceeed0804c97944448405aecb7dbab82fac0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9P7lw07.exe
Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9P7lw07.exe
Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe
Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe
Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
C:\Users\Admin\AppData\Roaming\2EU1KOS1.exe
Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe
Filesize
512.3MB

MD5
8f130f1ec2e0c3bbdcb751ef62eb3481

SHA1
c262246a51befced318eee02915f6256884ff7e6

SHA256
aa2c275ff3d662676ca1a11dd4ed86f48a39350bc0fe0198ec8d4abe2af3e3ce

SHA512
975453b9968bbad1e4db58ac2e39186b93c6b9d5ebdc6bcd637c316c0d870a1ffefa3c6d5819c4fde68cda90bf5814146083317287b4f0f61a66e3823fd3876d

Download Submit
\ProgramData\DesktopDocuments-tupe1.8.5.3\DesktopDocuments-tupe1.8.5.3.exe
Filesize
473.5MB

MD5
c5bcbce850173b155ea045766887b920

SHA1
3c8bede00473399e67b7692dbac21453213f9f56

SHA256
28407169fe57200ea223ba2ae2e511849ed1da2d7367748d01d9e7539133d442

SHA512
4eaab0e4ca3ff2a703e899723b1ecf0566f3e48aa12d57cbcec6b530951fe729172f0b7dfe10f466f24a7e287b0ba12f3ad1b691de6cf9d4dce5bc1a9691c6d4

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\n9P7lw07.exe
Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
\Users\Admin\AppData\Local\Temp\n9P7lw07.exe
Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
\Users\Admin\AppData\Roaming\2EU1KOS1.exe
Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
\Users\Admin\AppData\Roaming\2EU1KOS1.exe
Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
memory/1172-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1172-57-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1172-60-0x0000000000400000-0x0000000001B75000-memory.dmp

Filesize
23.5MB

Download
memory/1172-104-0x0000000004E30000-0x000000000588A000-memory.dmp

Filesize
10.4MB

Download
memory/1172-54-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1172-94-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/1172-59-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1172-106-0x0000000004E30000-0x000000000588A000-memory.dmp

Filesize
10.4MB

Download
memory/1172-58-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1172-56-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1516-117-0x0000000000A40000-0x000000000188F000-memory.dmp

Filesize
14.3MB

Download
memory/1564-132-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1564-133-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1564-134-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1912-103-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1912-130-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1912-120-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1912-105-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download